The DeFi protocol SIR.trading has suffered "the most severe blow," losing its entire $355,000 TVL.


Source: Cointelegraph

The Ethereum-based DeFi protocol SIR.trading (full name Synthetics Implemented Right) has been hacked, with the attacker draining its entire total value locked (TVL) of $355,000 (valued at the time of the attack).

The attack occurred on March 30 and was first discovered by blockchain security firms TenArmorAlert and Decurity, who issued warnings on the X platform to alert users to the risks.

The protocol's founder, Xatarrer (pseudonym), described the attack as "the worst news the protocol could face," but stated that despite this setback, the team still plans to continue the operation of the protocol.

Source: SIR.trading on X

"Crafty attack" targets contract treasury

Decurity described the incident as a "crafty attack" targeting the protocol's "vulnerable contract treasury," which relies on Ethereum's transient storage feature.

According to Decurity, the attacker was able to substitute an address they controlled for the real Uniswap pool address that the callback function checks against, redirecting funds from the treasury to the attacker. TenArmorAlert added that by calling the callback function repeatedly, the attacker drained the protocol's TVL completely.

Source: Decurity

SupLabsYi, from the blockchain security company Supremacy, published a detailed analysis of the attack on X, stating that it may expose security weaknesses in how Ethereum's transient storage is used.

Transient storage was added to Ethereum in last year's Dencun upgrade. It lets contracts store data that lives only for the duration of a transaction, which costs less gas than conventional persistent storage.

According to SupLabsYi, transient storage is still an "emerging feature," and this attack may be the first instance of a vulnerability in its use being exploited.

SupLabsYi stated, "This is not just a threat to a single instance of uniswapV3SwapCallback."
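The reports above describe a callback whose authorization hinged on a pool address held in transient storage. The following contract, an added example written for this article and not SIR.trading's code, contrasts a callback check that trusts whatever sits in the transient slot with a hardened check that also recomputes the Uniswap v3 pool's CREATE2 address from the callback data and consumes the slot in the same call. The factory address, init-code hash, slot name and callback data layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload require the Cancun EVM target
// Illustrative contract written for this article, not SIR.trading's code.
// It contrasts a callback check that trusts whatever sits in a transient
// slot with one that also recomputes the pool's CREATE2 address and
// consumes the slot in the same call.
contract CallbackAuthExample {
    address public immutable factory;          // Uniswap v3 factory address (assumed input)
    bytes32 public immutable poolInitCodeHash; // Uniswap v3 pool init-code hash (assumed input)
    // Hypothetical slot: the pool we expect to call back within this transaction.
    bytes32 private constant EXPECTED_POOL_SLOT = keccak256("example.expectedPool");

    constructor(address factory_, bytes32 poolInitCodeHash_) {
        factory = factory_;
        poolInitCodeHash = poolInitCodeHash_;
    }

    // Called by this contract right before it invokes pool.swap(...).
    function _armCallback(address pool) internal {
        bytes32 slot = EXPECTED_POOL_SLOT;
        assembly { tstore(slot, pool) }
    }

    // Same derivation as Uniswap v3's PoolAddress.computeAddress.
    function computePool(address token0, address token1, uint24 fee) public view returns (address) {
        require(token0 < token1, "unsorted tokens");
        bytes32 salt = keccak256(abi.encode(token0, token1, fee));
        return address(uint160(uint256(keccak256(
            abi.encodePacked(hex"ff", factory, salt, poolInitCodeHash)))));
    }

    // FRAGILE: whatever the slot holds (stale, or overwritten by other code
    // that reuses the slot) is accepted as the legitimate pool.
    function fragileCallback(int256, int256, bytes calldata) external {
        bytes32 slot = EXPECTED_POOL_SLOT; address expected;
        assembly { expected := tload(slot) }
        require(msg.sender == expected, "not pool");
    }

    // HARDENED: the caller must equal the pool derived from the callback data
    // and match the armed slot; the slot is cleared so it cannot be replayed.
    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        (address t0, address t1, uint24 fee) = abi.decode(data, (address, address, uint24));
        bytes32 slot = EXPECTED_POOL_SLOT; address expected;
        assembly { expected := tload(slot) tstore(slot, 0) }
        require(expected != address(0) && expected == computePool(t0, t1, fee), "unexpected callback");
        require(msg.sender == expected, "not pool");
        // ... pay the pool the owed token amount here ...
    }
}
```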

TenArmorSecurity reported that the stolen funds have now been deposited into an address funded by the Ethereum privacy solution Railgun. Xatarrer has since contacted Railgun for assistance.

Documentation for SIR.trading shows that the protocol is marketed as "a new DeFi protocol for safer leveraged trading." The goal of the protocol is to address some challenges in leveraged trading, "such as volatility decay and liquidation risk, making long-term investments safer."

Despite aiming to provide safer leveraged trading, the protocol's documentation warns users that, although audited, its smart contracts may still contain vulnerabilities that could lead to financial losses—specifically noting that the platform's treasury is a vulnerable area.

"In SIR's smart contracts, undiscovered vulnerabilities or attacks could lead to the loss of funds. These issues may stem from complex logic in the treasury mechanism or leverage calculations that audits failed to uncover, exposing users to rare but catastrophic failures," the project documentation states.

